Audit of NARA’s Classified Systems

OIG Audit Report No. 12-15

July 23, 2012

Table of Contents

Executive Summary ..... 3
Background ..... 5
Objectives, Scope, Methodology ..... 6
Audit Results ..... 7
Appendix A – Acronyms and Abbreviations ..... 22
Appendix B – Management’s Response to the Report ..... 23
Appendix C – Report Distribution List ..... 24

Executive Summary

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) completed an audit of the classified information systems at NARA. In accordance with Federal requirements, NARA has developed policy to protect its classified systems. NARA Directive 202 establishes the agency’s Classified Information Security Program. Further, NARA Directive 804 establishes requirements for the operation, management, and control of information systems. During this audit, we assessed whether NARA’s classified information systems were properly managed and adequately secured.

Executive Order 13526, Classified National Security Information, dated December 29, 2009, directs the agency head or senior agency official to establish uniform procedures to ensure the confidentiality, integrity, and availability of automated information systems. This includes networks and telecommunications systems that collect, create, communicate, compute, disseminate, process, or store classified information.

Our audit found that the confidentiality and security of classified information are at risk. Although NARA has developed classified information system policies in accordance with Federal guidelines, the Office of Information Services personnel, system owners, and designees responsible for ensuring the confidentiality, integrity, and availability of NARA classified information systems have not consistently implemented these requirements. Specifically, of the seven classified systems reviewed, only one has a current authorization to operate. Further, NARA officials have not taken the appropriate and sufficient steps to adequately manage their classified systems.
Management deficiencies identified include:

   •   Weaknesses recognized during annual security assessments were not always communicated and properly addressed;
   •   Plans of Actions and Milestones were not always maintained, updated, or reviewed, as required;
   •   Inventories of systems and components were not always updated and completed;
   •   Contingency Plans had not been developed and tested for all classified systems; and
   •   Continuous monitoring strategies had not been established or implemented.

As a result, the classified information NARA is entrusted with overseeing and securing is not afforded the magnitude of protection required, placing undue risk on the overall security of information at the highest classification levels. Without the proper oversight and accountability to ensure implementation of NARA’s Classified Information Security Program as it relates to classified information systems, NARA is hindered in its ability to adequately identify and reduce the vulnerabilities and control failures associated with its classified systems, which places the confidentiality and security of classified information at risk. Although all risks cannot be avoided, the controls and processes identified in this report are fundamental to the security of NARA’s classified information systems.

Page 3
National Archives and Records Administration

Due to security considerations, specific information regarding the locations and systems reviewed has been omitted from this report and supplied to NARA officials separately. This report contains 8 recommendations to assist the agency in strengthening the security and control of its classified information systems.

Background

As the Nation’s record keeper, NARA receives classified records in electronic and paper formats, which are then processed and stored on various NARA classified systems. These classified systems have specialized security needs and must be protected at a higher level than unclassified systems in order to guard against unauthorized disclosure as well as loss or modification. It is critical that NARA ensure the appropriate security controls are applied to its classified systems, or the safety of these systems and the information contained on them is at risk. Recent events surrounding the disclosure of U.S. Government documents by WikiLeaks have emphasized the need to protect and secure our classified national security information systems.

In 2004, we conducted a similar audit of NARA’s classified Information Technology (IT) systems.[1] In this previous audit, we found NARA had not developed or implemented a classified IT systems security program that included updated guidance pertaining to the technical security of classified systems. NARA had also not created a complete classified computer systems inventory listing. Consequently, numerous security weaknesses were found in the classified system reviewed.
Therefore, we recommended the Archivist ensure that NARA classified systems were centrally managed by technically qualified personnel by redesignating responsibility for those systems. We also recommended the development of the NARA Classified IT Systems Security Program; the identification and inventory of all NARA classified systems; and an initial certification and accreditation (C&A) of these systems be completed. Management concurred and completed each of these recommendations.

All NARA IT systems processing or storing classified information must be designed and operated in a manner to protect the availability, integrity, and confidentiality of the information. NARA Directive 202 provides the necessary guidance for the protection of classified information before it is entered into an IT system, classified output that has been generated from the system, and for the physical environment surrounding the system. Further, NARA Directive 202 establishes the NARA Classified Information Security Program and identifies the responsibilities of NARA officials and designated personnel for the protection and control of classified national security information, regardless of the media. Additional policies related to the operation, management, or control of information systems are contained in NARA Directive 804, Information Technology Systems Security, and other Federal standards and directives, including Director of Central Intelligence Directive (DCID) 6/3, Protecting Sensitive Compartmented Information within Information Systems, for Sensitive Compartmented Information (SCI) level systems.

[1] NARA OIG Report No. 04-10, “Assessment of the Controls and Security of NARA Classified Systems,” March 31, 2004

Objectives, Scope, Methodology

The overall objective of this audit was to determine whether NARA’s classified systems were properly managed and adequately secured. Specifically, we sought to determine whether the security of NARA’s classified systems complied with Federal and NARA security policies and guidelines.

To accomplish our objective, we reviewed NARA policies governing classified information and systems and examined the security of seven classified systems at NARA. We interviewed IT Security personnel, system owners, and system and security personnel. Further, we obtained available classified system security documentation. We compared the implementation of NARA’s Classified Information Security Program (as it relates to Information Systems) to NARA policy and Federal requirements, specifically: the Federal Information Security Management Act of 2002 (Public Law 107-347 Sec. 301); Executive Order 13526, Classified National Security Information; National Institute of Standards and Technology (NIST) SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations; NIST SP 800-59, Guideline for Identifying an Information System as a National Security System; and Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems.

Our audit work was performed at Archives I and Archives II between February 2011 and June 2012 (however, audit work was postponed at times due to limited staffing resources). We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Audit Results

1. Implementation of Risk Management Framework on NARA’s Classified Information Systems

Although NARA has developed classified information system policies in accordance with Federal guidelines, the Office of Information Services personnel, system owners, and designees responsible for ensuring the confidentiality, integrity, and availability of NARA classified systems have not consistently implemented these requirements. Specifically, this is apparent in the classified systems risk management process. Of the seven systems reviewed, only one has a current authorization to operate. This condition exists because required coordination efforts between Information Security personnel, system owners, and authorizing officials were not conducted and authorization packages were not appropriately completed or updated. As a result, NARA lacks assurance its classified data and systems are secure from numerous threats and vulnerabilities.

NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, includes guidelines for conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. Further, NIST SP 800-37 identifies three key documents used in support of the risk management process: 1) security plans; 2) security assessment reports; and 3) plans of actions and milestones. These documents are used by authorizing officials to make risk-based decisions in the security authorization process for their information systems.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, provides additional guidance on risk management through the implementation of security controls. These guidelines apply to all components of information systems that process, store, or transmit Federal information, including classified systems. NIST SP 800-53 states secure information systems require well-defined security requirements and security specifications, as well as comprehensive system security planning and life cycle management. These guidelines identify the security plan as an important component of the process. NIST SP 800-53 defines the security plan as the formal document providing an overview of the security requirements for an information system, which describes the security controls in place or planned for meeting those requirements.

NARA policy incorporates many of the NIST guidelines related to the risk management of classified systems. Specifically, NARA IT Security Requirements, within the scope of this audit, establishes requirements related to security planning, risk assessment, and security authorization.
These requirements include the development and update of system security plans, security assessment reports, and plans of actions and milestones. Further, NARA policy requires the Office of Information Services to ensure information systems are authorized to operate and the security authorizations are updated at least annually.

Classified System Authorization Documentation

NARA has outlined procedures to meet the Authorization requirements of the Risk Management Framework. Specifically, NARA IT Security Methodology for C&A and Security Assessment describes the documentation and assessment results used by NARA’s authorizing officials. These documents and reports, which are included in the system authorization packages, provide essential information needed to make risk-based decisions on whether to authorize operation of information systems or designated sets of controls. The chart below provides an overview of the authorization package documents.

Figure 1. Key Authorization Package Documents

Security Plan. According to NARA’s C&A Methodology, the security plan is prepared by the information system owner. The security plan provides an overview of the security requirements and describes the security controls in place or plans for meeting those requirements. The security plan also contains information related to risk assessments, contingency planning, and the continuous monitoring strategy. NARA IT Security Requirements stipulate classified system security plans must be reviewed and updated at least annually.

The Office of IT Security provided security plans for each of the seven classified systems reviewed during this audit. However, none had been updated within the last year in accordance with NARA requirements. Most of the security plans reviewed had last been approved over four years ago with no further indication of updates or revisions. Further, a majority of the classified system security plans reviewed listed retired NARA personnel in key security roles for the systems. In addition, a number of the security plans identified important security controls that required strengthening. However, there is no evidence such activities took place. The deficiencies identified relate to setting audit log files to read-only access, developing off-site backup storage requirements, auditing system-level actions, and establishing appropriate access password controls.

Security Assessment Report. NARA’s C&A Methodology indicates the security assessment report is prepared by the security control assessor. The security assessment report provides the results of assessing the implementation of the security controls identified in the security plan to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the specified security requirements. NARA’s C&A Methodology states the security assessment report is to be updated on an ongoing basis whenever changes are made to the security controls employed within or inherited by the information system.

Further, NARA IT Security Requirements state IT Security staff shall assess the security controls in the information system at least annually. Updates to the security assessment report help ensure the information system owner, common control provider, and authorizing officials maintain the appropriate awareness with regard to security control effectiveness.
In addition, NARA policy requires security assessment reports to contain a list of recommended corrective actions for any weaknesses or deficiencies identified in the security controls.

The Office of IT Security provided security assessment reports for each of the classified systems reviewed. All seven of the assessment reports were completed in September 2010. Updates were requested; however, IT Security personnel indicated the September 2010 security assessment reports were the most recent. Although seven assessment reports were provided, one of the classified systems reviewed has four different instances, each located at a different facility across the country. Despite the unique security concerns of each location, only one security assessment was conducted for all four instances, focusing on only one location. Further, the security assessment reports for the seven classified systems identified a combined total of over 315 failures. A number of these control failures were identified across all classified systems reviewed; these systemic control failures involve:

   •   Response to Audit Processing Failures,
   •   Baseline Configuration,
   •   Configuration Settings,
   •   Least Functionality,
   •   Vulnerability Scanning, and
   •   Malicious Code Protection.

Further, 54 particular controls failed in three or more of the seven classified systems reviewed. Despite these failures, recommended corrective actions were not typically documented in the security assessment reports, as required. In addition, many of the documents used in support of the security assessments—such as the system security plans mentioned previously—have not been updated in the past three or four years, which further degrades the accuracy of the assessments.

Plan of Action and Milestones (POA&M). NARA’s C&A Methodology assigns the responsibility of preparing the POA&M to the system owner or common control provider. The POA&Ms describe specific measures planned to correct weaknesses or deficiencies in security controls identified during the security assessment and to address known vulnerabilities in the information system. NARA IT Security Requirements state the system owner shall update existing POA&Ms not less than annually based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

The Office of IT Security provided POA&Ms for six of the seven classified systems reviewed. Although each of the systems underwent a security assessment in September 2010, none of the POA&Ms were updated to reflect the more recent weaknesses identified. Further, the POA&Ms provided listed nearly 90 weaknesses that are still classified as “ongoing,” some of which date back to 2006.
Examples of these ongoing weaknesses include:

   •   Antivirus software/application not installed/updated;
   •   Need for Sensitive Compartmented Information Facility (SCIF) accreditation renewal;
   •   Inadequate labeling of hardware to reflect appropriate classification level;
   •   SCIF is not in accordance with Director of Central Intelligence Directive (DCID);
   •   Insecure/not properly retained audit logs;
   •   Inadequate review of audit logs;
   •   Uncleared personnel allowed to perform maintenance on classified system without being recorded on the maintenance log;
   •   Co-location of classified workstations with lower classified systems;
   •   System Security Plans not updated to reflect actual processes or state of system;
   •   Lack of data sanitizing procedures;
   •   Duties and responsibilities of the System Administrator had not been developed in accordance with DCID 6/3;
   •   Adequate password policies not implemented;
   •   Lack of configuration management policies; and
   •   Inadequate backup process.

Many of the POA&Ms reviewed state “keeping the documentation current is a simple process and is well worth the minimal effort and cost in the long-run.” However, this “minimal effort” to reduce the risk of NARA’s classified systems is not consistently performed. Further, a number of the weaknesses documented in the POA&Ms (and listed above) remain as control failures in the most recent Security Assessments. When asked why the documentation had not been updated or tracked, the Office of Information Services indicated it is difficult to obtain required documentation from system owners and, despite establishing cutoff dates, system owners “file away the POA&Ms and do nothing with them.”

Continuous Monitoring

As mentioned previously, according to NARA’s C&A Methodology, system security plans document the continuous monitoring strategy for each system. Further, NARA IT Security Requirements state for all data, the IT Security Staff must establish a continuous monitoring strategy and implement a continuous monitoring program. This includes ongoing security control assessments, annual reporting of the security state of the information system, and, for data deemed by the NARA system owner to require additional integrity protection, NARA IT Security staff shall plan, schedule, and conduct security assessments to ensure compliance with all vulnerability mitigation procedures.

Despite the requirements to include a continuous monitoring strategy within the classified system security plan, none of the systems reviewed contained such information.
Most of the classified system security plans do not mention continuous monitoring, or generally state “detection and/or monitoring tools are not required because [the classified system] is a self-contained system with no external connectivity.” However, according to NIST guidance, automated support tools are only one component of continuous monitoring. The process also includes—among other monitoring activities—assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation—using people, processes, and technologies.

NARA IT Security personnel stated most of NARA’s continuous monitoring processes are being developed to work over the network; therefore, the classified systems—which are standalone—will not benefit. IT Security personnel stated they are still struggling with continuous monitoring of the unclassified systems, let alone classified systems. However, NARA’s C&A Methodology states failure to maintain an effective continuous monitoring program may be grounds for rescinding an authorization decision. Without current classified system security information made available through continuous monitoring, authorizing officials are limited in their ability to make risk-based decisions.

Authorization Status of NARA’s Classified Information Systems

The documentation used to support management’s risk assessments of classified systems is incomplete, outdated, and inconsistent. The three key documents approving authorities use in their assessments of the classified systems (System Security Plans, Security Assessment Reports, and Plans of Actions and Milestones) do not reflect the level of detail or current information needed to justify approval. As a result, of the seven systems reviewed, only one has been certified and authorized to operate. According to IT Security personnel—for certain high confidentiality systems—NARA has had difficulty in getting authorization feedback from the Central Intelligence Agency, which has impaired the timely authorization of these systems. However, this does not account for the incomplete and outdated authorization packages NARA is using. Complete and acceptable packages should have been assembled, compiled, and submitted by the system owner prior to the authorization decision.

NARA IT Requirements state that for all data, the NARA Office of Information Services shall ensure the authorizing official authorizes the information system for processing before commencing operations. DCID 6/3, Protecting Sensitive Compartmented Information within Information Systems, provides similar authorization to operate requirements for SCI systems. DCID 6/3 states if the designated approving authority neither accredits the system nor grants an interim approval to operate, then the requestor must modify the system or its safeguards and repeat the accreditation process until the system is accredited, granted interim approval to operate, or disallowed to operate. Despite these requirements, NARA classified systems continue to operate without current authorizations. When asked if any of the classified systems were shut down, Office of IT Security personnel stated NARA does not shut down systems, even if they do not have an authorization to operate.
This stance by the Office of IT Security weakens NARA’s Classified Information Security Program by allowing systems to run without ensuring compliance with all confidentiality and vulnerability mitigation procedures.

Implications of Inadequate Risk Management Framework Implementation

NARA has established policy to protect classified systems from the elevated risks associated with such systems, yet classified systems continue to operate without meeting the security requirements established to ensure confidentiality, integrity, and availability. As a result—in the current environment in which agencies are on heightened alert over recent classified system breaches—NARA lacks assurance its classified data and systems are secure and controls are in place and effective in protecting classified data against threats and vulnerabilities.

Recommendations

We recommend the Executive for Information Services/Chief Information Officer (I), in coordination with the Chief Operating Officer (C):

   1. Ensure all classified system authorization packages are updated in accordance with NARA policy;
   2. Establish a timeline for review and approval of authorization documents;
   3. Develop a continuous monitoring strategy for classified systems requiring system owners on at least a quarterly basis to assess security controls and inform authorizing officials when changes occur that may impact the security of the system; and
   4. Obtain authorizations to operate for each of the classified systems or disallow them in accordance with NARA and Federal policy.

Management Response

Management concurred with the recommendations.

2. Oversight and Security Control of NARA’s Classified Information Security Program

NARA IT officials and designated personnel at all levels are not meeting their responsibilities in the oversight, protection, and control of classified information systems in accordance with NARA’s Classified Information Security Program. This is due to a general lack of accountability and coordination by the Office of Information Services, system owners, and security and system personnel—specifically in terms of accomplishing classified information system security requirements. As a result, NARA is hindered in its ability to adequately identify and reduce the vulnerabilities and control failures associated with its classified systems, which places the confidentiality and security of classified information at risk.

The Federal Information Security Management Act of 2002 (FISMA) requires each agency to develop, document, and implement an agencywide information security program. The program is to provide information security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Further, FISMA requires the information security program to include periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, including classified systems.

Within the scope of classified information systems and security, NARA has issued two primary Directives. The first of these, NARA Directive 202, NARA Classified Information Security Program, establishes NARA’s Classified Information Security Program and identifies the responsibilities of NARA officials and designated personnel in the protection and control of classified national security information. In addition, NARA Directive 202 is supplemented by the NARA Classified Information Security Program Handbook. The purpose of the handbook is to serve as a “how to” guide for the NARA Information Security Officer and Information Security Program Managers to use in promoting a viable and dynamic classified information security program.

The second Directive, NARA 804, Information Technology Systems Security, establishes policy and guidance for securing all electronic information collected or maintained by or on behalf of NARA, and the electronic information systems used or operated by or on behalf of NARA. NARA 804 defines the role of IT security in the context of an overall enterprise architecture. In addition, the Directive delineates the security management program structure, assigns responsibilities, and creates a foundation to manage progress and compliance.

Classified Information Security Program Responsibilities

NARA’s policy outlines Classified Information Security Program roles and responsibilities starting at the head of the agency and ending at the final user of the information. The Archivist is responsible for committing senior management and resources to the successful implementation of the program. Other key roles—within the scope of this audit—include the Chief Information Officer, Chief Information Security Officer, IT Security Staff, System Owner, Information System Security Officer, and Information Security Program Manager. The responsibilities of these roles as they relate to classified information system security are outlined below:

Chief Information Officer (CIO). The CIO ensures development and implementation of the NARA IT Security program and NARA IT security architecture conform to all NARA and other Federal standards, policies, and guidelines. The CIO is the designated authorizing official for agency-wide general support systems and is the co-authorizing official with other senior officials for selected agency information systems. The CIO designates the senior agency information security officer.

Chief Information Security Officer (CISO). The CISO is the senior agency information security officer responsible for the implementation of NARA 804 and its policies. The CISO directs the NARA IT Security Program with the mission and resources to assist in ensuring agency compliance with FISMA. Further, the CISO is the agency official responsible for carrying out the chief information officer responsibilities under FISMA.

IT Security Staff. The IT Security staff plans and manages the IT Security program in conformance with the IT Security Architecture. The staff assists in the development of the security architecture, assures the appropriate integration of security controls as part of the systems engineering process, and provides guidance and assistance to systems owners on matters of IT security.

System Owner. The system owner is the official responsible for the procurement, development, and operation and maintenance of the system. Further, the system owner is responsible for developing and submitting the authorization package. System owners also evaluate the cost and benefits of system features, including the security costs of mitigating vulnerabilities associated with the system. In addition, system owners identify or designate responsibility for the Information Systems Security Officer.

Information Systems Security Officer (ISSO). The ISSO has the responsibility to ensure the appropriate operational security posture is maintained for an IT system or program. The ISSO assists in determining the security controls appropriate for the system, and provides information necessary to complete regular assessments of the system and the POA&M, which tracks response to internal and external audit findings.

Information Security Program Manager (ISPM). The ISPM develops standard operating procedures addressing information security requirements specific to the activity for which they are responsible.
In addition, the ISPM assists the ISSO, in coordination with the\nsystem owner, as necessary to develop SSPs, risk assessments, contingency plans, obtain\ncertification and accreditation of all classified computer systems, and report computer-\nrelated security incidents for all computer systems under the control of their activity.\n\nBased on the roles listed above, NARA has developed multiple levels of oversight in its\ngovernance of the security and management of classified information systems. However,\ndespite these oversight and management roles, a number of Classified Information\nSecurity Program objectives and requirements remain unmet. The following section\ndescribes some of the management and implementation deficiencies identified in\nNARA\xe2\x80\x99s Classified Information Security Program as it relates to classified information\nsystems.\n\nImplementation of NARA\xe2\x80\x99s Classified Information Security Program\n\nA basic requirement in implementing a Classified Information Security Program involves\nestablishing and maintaining a current inventory of classified systems. However, during\nour tours of the Sensitive Compartmented Information Facilities (SCIFs) and a review of\nNARA\xe2\x80\x99s 2011 Performance and Accountability Report, we identified additional\nclassified systems not reflected in the inventory list provided by the Office of Information\nServices. Further, a number of the systems included in the inventory were considered to\nbe inactive or decommissioned. An OIG audit conducted in 2004 identified similar\ninadequacies pertaining to NARA\xe2\x80\x99s classified system inventory 2.\n\nFurther, NARA policy establishes requirements pertaining to information system\ncomponent inventory. NARA IT Security Requirements state for all data, the system\nowner shall develop, document, and maintain an inventory of information system\ncomponents that accurately reflects the current information system. 
In addition, for data\nrequiring greater integrity, the system owner shall verify all components within the\nauthorization boundary of the information system are either inventoried as a part of the\nsystem or recognized by another system as a component within that system. During our\ntour of classified facilities, we noted items within the classified system boundaries that\nwere not included in the component inventory list. These items included printers, toggle\nswitches, and a smart uninterruptible power supply backup.\n\n\n2\n NARA OIG Report No. 04-10, \xe2\x80\x9cAssessment of the Controls and Security of NARA Classified Systems,\xe2\x80\x9d\nMarch 31, 2004\n                                          Page 16\n                       National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 12-15\n\n\nAnother component of the Classified Information Security Program involves obtaining\nauthorization for the classified systems to operate (see Finding 1). NARA policy states it\nis the responsibility of the system owner to assemble, compile, and submit the\nauthorization package. In addition, as noted above, it is also the responsibility of the IT\nSecurity staff, ISSO, and ISPM to aid the system owner in this process. Therefore, in\norder for the authorization to take place, each classified system must have an appointed\nsystem owner who works in coordination with IT Security staff and designated system\nand security personnel.\n\nThe Office of IT Security provided the most recent system owner appointment letters for\nthe classified systems reviewed. Most of the letters were last signed in mid-2009. At\nleast one these appointed system owners no longer works at NARA. Two other system\nowners listed on appointment letters do not match those named in more recent system\ndocumentation. 
Further, one person who was appointed system owner to four classified\nsystems had relinquished these duties as a result of NARA\xe2\x80\x99s reorganization. At the time\nof this audit, new system owners had not been appointed.\n\nDue to the important role system owners play in the security of classified systems, it is\nvital that the appointments remain accurate and the system owners acknowledge their\nresponsibilities. Up-to-date appointment letters facilitate this acknowledgement by\nrequiring the system owners to sign and date the letter which outlines their\nresponsibilities. Some of the acknowledged responsibilities listed on the appointment\nletters provided include:\n\n   \xe2\x80\xa2   Ensuring security requirements for the system will be met;\n   \xe2\x80\xa2   Assigning, in writing, an ISSO;\n   \xe2\x80\xa2   Informing the Office of IT Security of the need to conduct a certification and\n       accreditation of the system; and\n   \xe2\x80\xa2   Ensuring adequate resources are available for the certification and accreditation\n       effort.\n\nDespite these acknowledged requirements, six out of the seven System Security Plans\xe2\x80\x94\nwhich are required to provide overviews of the security requirements and security\ncontrols in place for each of the systems\xe2\x80\x94have not been updated in over three years.\nAdditionally, of the seven systems reviewed, the Office of IT Security was only able to\nprovide signed ISSO appointment letters for four systems. Further, only one of the seven\nclassified systems had a current certification and accreditation.\n\nIn addition to the responsibilities listed above, the system owner appointment letters state\nthe system owners may delegate day-to-day authority, as applicable, to an ISSO to\n\n\n                                         Page 17\n                      National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 
12-15\n\n\nperform a number of security duties. Examples of these duties include:\n\n   \xe2\x80\xa2   Providing and maintaining all documentation as required for the certification and\n       accreditation process and retaining the results from the Office of IT Security;\n   \xe2\x80\xa2   Taking appropriate steps to reduce or eliminate vulnerabilities;\n   \xe2\x80\xa2   Ensuring the development and annual update of the system security plan;\n   \xe2\x80\xa2   Deploying and operating the system according to the security requirements in the\n       system security plan;\n   \xe2\x80\xa2   Providing the continuous monitoring of the information system;\n   \xe2\x80\xa2   Coordinating the development of a Contingency Plan and ensuring the plan is\n       tested and maintained annually;\n   \xe2\x80\xa2   Establishing system-level POA&Ms and implementing corrective actions to\n       develop, implement, manage, and track these actions; and\n   \xe2\x80\xa2   Working closely with the Office of IT Security and other IT managers to ensure a\n       complete understanding of the risk.\n\nDespite the listing of these duties on the system owner and ISSO appointment letters,\nmost were not accomplished for the systems reviewed. For example, system personnel\nwere unable to provide requested certification and accreditation documents. Further,\nefforts to address ongoing vulnerabilities have been lacking, some POA&Ms with\nidentified deficiencies have not been updated in the past four years. Additionally, IT\nSecurity staff indicated continuous monitoring efforts of classified systems have been\nminimal.\n\nThe appointment letters also include duties involving contingency planning. NARA IT\nSecurity Requirements establishes system owners must develop contingency plans for all\ninformation systems. 
System owners are required to review the plans at least annually.\nFurther, the contingency plans are required to be reviewed and approved by NARA\nSecurity staff.\n\nIT Security personnel were able to provide updated contingency plans for five of the\nseven classified systems reviewed. However, none of the contingency plans showed\nevidence of NARA Security staff review or approval, as required. In addition, five of the\nseven Security Assessment Reports associated with these systems identified contingency\nplanning failures. Further, a number of issues were identified in the contingency plans\nprovided, some of which include:\n\n   \xe2\x80\xa2   System owner designation that differs from appointment letter;\n   \xe2\x80\xa2   Incomplete key personnel contact lists;\n\n\n\n\n                                        Page 18\n                     National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 12-15\n\n\n   \xe2\x80\xa2   Contingency plan responsibilities assigned to a position that is vacant or\n       unidentified; and\n   \xe2\x80\xa2   Incomplete records documenting changes to the contingency plan.\n\nFor classified systems requiring moderate or high availability, NARA IT Security\nRequirements stipulate the NARA system owner shall plan for the resumption of essential\nmissions and business functions within 24 hours for classified information systems of\ncontingency plan activation. Further, the NARA system owner shall plan for the full\nresumption of missions and business functions within 5 days of contingency plan\nactivation. According to the system documentation provided, two of the seven systems\nreviewed required elevated levels of availability. 
However, of these two classified\nsystems, neither had contingency plans or test plans reflecting this heightened availability\nlevel.\n\nNARA IT Security Requirements state the system owner or ISSO shall test or exercise the\ncontingency plan at least annually to determine the plan\xe2\x80\x99s effectiveness, as well as the\nsystem owner or ISSO\xe2\x80\x99s readiness to execute the plan. Further, for classified systems,\nsystem owners are required to conduct backups of user-level and system-level\ninformation contained in the information system at least weekly. IT Security Personnel\nwere able to provide test plans for five of the seven classified systems reviewed. Despite\nthe annual requirement, only four of the classified system contingency test plans were\nupdated in the past year. Of those four, only one contained complete and detailed results.\nFurther, Security Assessment Reports identified failures related to system backups in four\nof the seven classified systems reviewed.\n\nAnother duty listed on the appointment letters involves working closely with the Office\nof IT Security and other IT managers to ensure a complete understanding of the risk.\nThis is further detailed in NARA 804, which identifies providing guidance and assistance\nto system owners as one of the roles of IT Security staff.\n\nDuring our audit interviews, system owners, ISSOs, and designees were asked about\nsystem documentation efforts and status. Interviewees were often unaware of the status\nof the key oversight and security documents for their respective systems. Further, despite\nbeing responsible for maintaining certification and accreditation documents, the\ninterviewees were often unable to provide copies. The IT Security staff responsible for\nassisting system owners stated most of the classified system owners do not have an IT\nbackground. 
As a result, IT Security staff indicated system owners face difficulties in\nmeeting their more technical responsibilities.\n\nConversely, some system owners mentioned they did not always receive adequate\nfeedback from the Office of IT Security during the authorization process. Examples\nincluded providing the Office of IT Security with updates to documents without ever\n                                         Page 19\n                      National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 12-15\n\n\nhearing back from them and not obtaining results of security assessments performed by\nthe Office of IT Security. Further, discrepancies existed between systems owners and the\nOffice of IT Security regarding responsibility for implementing corrective actions. The\nchart below (Figure 2) depicts the status of key system documents for the seven classified\nsystems reviewed.\n\nFigure 2. Status of Key System Documents\n\n               Authorized      Updated                      Updated     Adequate\n                                             Complete\n  System           to          Security                    Contingency Contingency\n                                             POA&M?\n                Operate?        Plan?                        Plan?      
Plan Test?\nClassified\n                   No             No             No             No              No\nSystem #1\nClassified\n                   No             No             No             Yes             No\nSystem #2\nClassified\n                   No             No             No             Yes             No\nSystem #3\nClassified\n                   No             No             No             Yes             No\nSystem #4\nClassified\n                   No             No             No             Yes             No\nSystem #5\nClassified\n                   Yes            No             No             Yes            Yes\nSystem #6\nClassified\n                   No             No             No             No              No\nSystem #7\n\n\nNARA policy establishes roles and responsibilities to ensure IT Security Staff, systems\nowners, ISSOs, and ISPM assist one another in completing system security\ndocumentation used in the certification and accreditation, contingency planning, and\nsecurity efforts of each classified system. The status of the documents listed above\nillustrates a need for greater accountability and coordination in the implementation of\nNARA\xe2\x80\x99s Classified Information Security Program as it relates to classified information\nsystems. The Office of IT Security acknowledged the security documentation for\nclassified systems were not kept up-to-date. Difficulty in obtaining documentation from\nsystem owners was cited as the main factor in the lack of current security documentation.\n\nImplications of Inadequate Oversight and Security Control of Classified Systems\n\nAlthough NARA policy establishes responsibility for the CIO and CISO to implement\nNARA\xe2\x80\x99s IT Security program and NARA Directive 804 requirements, numerous\ninadequacies identified in our review of NARA\xe2\x80\x99s classified information systems indicate\nthis responsibility is not being fulfilled. 
Specifically, NARA classified systems are not\nappropriately authorized, system security documentation is not complete, and key system\n\n                                        Page 20\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 12-15\n\n\nand security personnel have not been appointed to support these efforts, as required.\nWithout the proper oversight and accountability to ensure implementation of NARA\xe2\x80\x99s\nClassified Information Security Program as relates to classified information systems,\nNARA is hindered in its ability to adequately identify and reduce the vulnerabilities and\ncontrol failures associated with its classified systems, which places the confidentiality\nand security of classified information at risk.\n\nRecommendations\n\nWe recommend the Executive for Information Services/Chief Information Officer (I), in\ncoordination with the Chief Operating Officer (C):\n\n   5. Re-evaluate responsibilities among IT Security staff, system owners, ISSOs, and\n      ISPMs to ensure they match the required expertise within each role;\n   6. Ensure that IT officials, system owners, and system and security personnel are\n      aware of their classified system oversight roles and responsibilities;\n   7. Maintain current documentation to support each system has an appointed system\n      owner and ISSO; and\n   8. Ensure all contingency plans are updated, completed, reviewed, and tested in\n      accordance with NARA policy.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n\n\n\n                                        Page 21\n                     National Archives and Records Administration\n\x0c                                                   OIG Audit Report No. 
12-15\n\n\nAppendix A \xe2\x80\x93 Acronyms and Abbreviations\n\nC&A     Certification and Accreditation\nDCID    Director of Central Intelligence Directive\nISSO    Information System Security Officer\nIT      Information Technology\nNARA    National Archives and Records Administration\nOIG     Office of Inspector General\nPOA&M   Plan of Actions and Milestones\nSCI     Sensitive Compartmented Information\nTS      Top Secret\n\n\n\n\n                                 Page 22\n              National Archives and Records Administration\n\x0c                                                 OIG Audit Report No. 12-15\n\n\nAppendix B - Management\xe2\x80\x99s Response to the Report\n\n\n\n\n                               Page 23\n            National Archives and Records Administration\n\x0c                                                          OIG Audit Report No. 12-15\n\n\nAppendix C - Report Distribution List\n\nDavid S. Ferriero, Archivist of the United States (N)\nTom Mills, Chief Operating Officer (C)\nMichael Wash, Executive for Information Services and Chief Information Officer (I)\nMary Drak, Performance and Accountability Staff (CP)\n\n\n\n\n                                       Page 24\n                    National Archives and Records Administration\n\x0c'